The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
A computer network typically includes multiple network elements. These network elements may include hosts, such as personal computers and workstations, and devices that manage network traffic from the hosts, such as hubs and switches. Hubs and switches have ports to which other network elements may connect. For example, a first host may be connected to a first port of a switch at the same time that a second host connects to a second port of the switch. The switch may be connected to other network elements within the network. The first host and the second host may access the other network elements through the switch.
Security is an important consideration when networking one or more network elements together. If a network is not secure, then an unauthorized device may be able to access and even modify private information that is stored on other network elements that are connected to the network. For example, in an insecure network environment, a user might connect an unauthorized laptop computer to a port of a network switch and thereby gain access to information and resources that the user has no permission to access.
To increase network security, authentication protocols have been implemented in some network switches. One popular authentication protocol is Extensible Authentication Protocol (EAP). EAP is defined in IETF Request for Comments (RFC) 2284. EAP is an extension to Point-to-Point Protocol (PPP) that is used to connect a host to a network. When EAP is used in conjunction with the Ethernet protocol, it is commonly referred to as EAP over Ethernet (EAPoE). Cisco Catalyst series switches, from Cisco Systems, Inc., support EAPoE.
When a host initially attempts to access a network through a port of a switch that supports EAPoE, the switch requests information from the host that will allow the switch to determine whether to grant access to the host. Based on a response from the host, the switch may or may not grant the host access to the network. According to at least one implementation of EAPoE, once a switch has granted access to a host on a particular port, the port remains “open” thereafter. That is, once a switch has granted access to a host on a particular port, the switch does not thereafter request information, through that port, that the switch would use to determine whether to grant access to the host that is connected to that port.
For switches that are configured to allow only one host to be connected to a given port of a switch, the above implementation may be sufficiently secure. However, because the number of ports on a switch is limited, it is often desirable for more than one host to access a network through a given port of a switch. For example, a hub may be connected to a particular port of a switch. Multiple hosts may be connected to the hub. The hub receives network traffic from each of the hosts and broadcasts that network traffic to the particular port of the switch.
For another example, a wireless Local Area Network (LAN) station may be connected to a particular port of a switch. Multiple hosts may communicate with the wireless LAN station. The wireless LAN station receives network traffic from each of the hosts and transmits that network traffic to the particular port of the switch. Thus, multiple hosts may seek access to a network through a single port of a switch.
When a switch allows multiple hosts to seek network access through a single port, EAPoE may provide insufficient security. After such a switch authenticates a first host that attempts to access a network through a particular port of the switch, the switch will not thereafter attempt to authenticate any other host that attempts to access the network through the particular port. All attempted connections through an open port would be allowed. As a result, unauthorized network elements may obtain network access through the particular port.
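The per-port behaviour described above, modelled as an added example (not code from the application or from any switch vendor) beside a per-host variant that keeps authentication state per source MAC; the credential store, MAC addresses and class names are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed AAA credential store (hypothetical): identity -> shared secret.
CREDENTIALS = {"alice": "s3cret"}

@dataclass
class Frame:
    src_mac: str
    identity: Optional[str] = None   # present only on EAP Response frames
    secret: Optional[str] = None

def aaa_accepts(frame: Frame) -> bool:
    """Stand-in for the switch asking its authentication server to check an EAP response."""
    return frame.identity is not None and CREDENTIALS.get(frame.identity) == frame.secret

class PerPortAuthenticator:
    """Port-level state, as the text describes: one success opens the port for every host."""
    def __init__(self):
        self.port_open = False
    def handle(self, frame: Frame) -> str:
        if self.port_open:
            return "forward"            # no further authentication on an open port
        if aaa_accepts(frame):
            self.port_open = True
            return "authenticated"
        return "drop"

class PerHostAuthenticator:
    """Per-host state: each source MAC must authenticate before its own traffic is forwarded."""
    def __init__(self):
        self.authorized_macs = set()
    def handle(self, frame: Frame) -> str:
        if frame.src_mac in self.authorized_macs:
            return "forward"
        if aaa_accepts(frame):
            self.authorized_macs.add(frame.src_mac)
            return "authenticated"
        return "drop"

def run_scenario(authenticator) -> list:
    """Two hosts share one port through a hub; only host A holds valid credentials (constructed)."""
    frames = [
        Frame("00:00:5e:00:53:0a", identity="alice", secret="s3cret"),  # A authenticates
        Frame("00:00:5e:00:53:0a"),                                     # A sends data
        Frame("00:00:5e:00:53:0b"),                                     # B sends data, never authenticated
        Frame("00:00:5e:00:53:0b", identity="bob", secret="wrong"),     # B's EAP attempt is rejected
    ]
    return [authenticator.handle(f) for f in frames]
```

Running `run_scenario` with each class shows host B's traffic forwarded once the per-port authenticator has opened the port for host A, while the per-host authenticator drops it until B authenticates on its own.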
Because EAPoE is a widely known and accepted standard, and because so many existing switches and client programs implement the EAPoE protocol in the manner described above, replacing existing switches and programs with switches and programs that use an authentication protocol other than EAPoE is not ideal or economical. Some devices and programs support authentication schemes such as Lightweight EAP (LEAP) protocol, Protected EAP (PEAP) protocol, or Microsoft Challenge Authentication Protocol (MSCHAP), but many do not.
Although some switches may be configured to allow only one host to connect to a network through a single switch port, it is advantageous to allow multiple hosts to connect to a network through a single switch port so that fewer total switch ports (and therefore fewer switches) are needed. Many legacy networks implement multiple hosts per switch port. When adopting the IEEE 802.1x standard, users of legacy networks are forced to either forgo the security benefits of 802.1x port security, or upgrade their entire infrastructure to permit only a single host per port. The former option fails to provide adequate security, and the latter option is usually not economically viable. Furthermore, configuring a switch to allow only one host to connect to a network through a single switch port prevents multiple hosts from accessing a network through a single wireless LAN station.
Based on the foregoing, there is a clear need for a way to authenticate multiple network elements that access a network through a single network switch port.